RSA NetWitness Platform Blog, 3 February 2017

Ismdoor is a remote access Trojan used by the Greenbug cyberespionage group against different organizations in the Middle East. In addition to collecting data from an infected system, it has the ability to download and install binaries. In this blog post, we will shed some light on its network activity and show how to detect it using RSA NetWitness.

After infecting a system, the malware reaches out to its C2 server as follows:

Some Ismdoor binaries use a different filename to check the connection with the server:

If the response from the server is 'Ok', the malware knows that it can start receiving commands from the server, so it sends another POST request:

In this case Ismdoor executes the systeminfo command on the infected system to collect host information. It saves the command output to a temporary file 'test.txt' in C:\Users\<user>\AppData\Local\Microsoft\Windows\TmpFiles. The content of that file is then obfuscated and saved to a second temporary file in the same directory; the obfuscated data is submitted to the server and both files are deleted.

The URL is not the same across Ismdoor variants:

Based on those network artifacts and assuming that the appropriate meta keys are enabled, two different queries can be used to detect Ismdoor network activity:

  • First, to detect the check-in, you can use:

    service = 80 && action = 'post' && referer !exists && directory = '//home/' && client = 'winhttpclient'

  • Second, to detect the C2 activity, you can use:

    service = 80 && action = 'post' && referer !exists && query begins 'commandid=cmdresult='
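To make the two rules above concrete, here is a small added example (Python, not code from the post or from RSA) that applies the same predicates to raw HTTP request heads. The sample requests, host name, filenames and parameter values are constructed placeholders, since the post's screenshots are not reproduced here.

```python
# Added example, not code from the RSA FirstWatch post: applies the post's two
# NetWitness predicates to raw HTTP request heads so the logic can be exercised
# offline. Sample requests are constructed; the host, filenames and parameter
# values are placeholders, not real Ismdoor indicators.

def parse_request(raw: bytes) -> dict:
    """Parse the head of an HTTP/1.x request into method, path, query, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    # Plain split on '?': urllib's urlsplit would read '//home/...' as a host.
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers}

def is_checkin(req: dict) -> bool:
    """action = 'post' && referer !exists && directory = '//home/' && client = 'winhttpclient'"""
    path = req["path"]
    directory = path[: path.rfind("/") + 1]  # NetWitness 'directory': path up to the last '/'
    return (req["method"] == "POST" and "referer" not in req["headers"]
            and directory == "//home/"
            and req["headers"].get("user-agent", "").lower() == "winhttpclient")

def is_c2(req: dict) -> bool:
    """action = 'post' && referer !exists && query begins 'commandid=cmdresult='"""
    return (req["method"] == "POST" and "referer" not in req["headers"]
            and req["query"].lower().startswith("commandid=cmdresult="))

def classify(raw: bytes) -> str:
    req = parse_request(raw)
    if is_checkin(req):
        return "ismdoor-checkin"
    if is_c2(req):
        return "ismdoor-c2"
    return "no-match"

# Constructed sample requests (placeholder host, filenames and values).
CHECKIN = (b"POST //home/FILENAME.aspx HTTP/1.1\r\nHost: c2.example.test\r\n"
           b"User-Agent: WinHttpClient\r\nContent-Length: 0\r\n\r\n")
C2 = (b"POST /FILENAME.aspx?commandId=cmdResult=OBFUSCATED HTTP/1.1\r\n"
      b"Host: c2.example.test\r\nUser-Agent: WinHttpClient\r\nContent-Length: 0\r\n\r\n")
BROWSER = (b"POST //home/login HTTP/1.1\r\nHost: intranet.example.test\r\n"
           b"Referer: http://intranet.example.test/\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
if __name__ == "__main__":
    for name, raw in (("CHECKIN", CHECKIN), ("C2", C2), ("BROWSER", BROWSER)):
        print(name, "->", classify(raw))
```

The BROWSER sample shows why the rules require `referer !exists`: a legitimate form POST to a `//home/` path is dropped once a Referer header is present.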

For more information on Greenbug, please check the Symantec blog here. Scan results for Ismdoor variants can be found here and here.

All the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, you can use the following query:
   threat.desc = 'apt-Ismdoor-c2'

Unfortunately it is not currently possible to easily see whether the maximum sessions-behind count on an ESA has been reached. This script enables it to be monitored.

Usage:

./check_esa_sessions_behind.sh -w VALUE -c VALUE | -h

This plug-in is used to be alerted when maximum ESA behind sessions is reached

-w/c Sessions behind integer
To warn when 200 sessions behind and critical when 300 sessions behind
example: ./check_esa_sessions_behind.sh -w 200 -c 300
 ./check_esa_sessions_behind.sh -w 1 -c 2
CRITICAL behind (>2), Sessions behind: : 26167 |Sessions behind=26167 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 2
CRITICAL behind (>2), Sessions behind: : 35446 |Sessions behind=35446 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 2
CRITICAL behind (>2), Sessions behind: : 35446 |Sessions behind=35446 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 2
CRITICAL behind (>2), Sessions behind: : 30390 |Sessions behind=30390 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 2
CRITICAL behind (>2), Sessions behind: : 30390 |Sessions behind=30390 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 40000
CRITICAL behind (>40000), Sessions behind: : 52687 |Sessions behind=52687 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 50000
CRITICAL behind (>50000), Sessions behind: : 52687 |Sessions behind=52687 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 50000
CRITICAL behind (>50000), Sessions behind: : 50476 |Sessions behind=50476 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 50000
CRITICAL behind (>50000), Sessions behind: : 50476 |Sessions behind=50476 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 50000
CRITICAL behind (>50000), Sessions behind: : 54902 |Sessions behind=54902 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 50000
CRITICAL behind (>50000), Sessions behind: : 60099 |Sessions behind=60099 ;;;
[root@rsaesa ~]# ./check_esa_sessions_behind.sh -w 1 -c 500000
WARNING behind (>1), Sessions behind: : 60099 |Sessions behind=60099 ;;;

If no values for WARN or CRITICAL are specified, a warning value of 500 and a critical value of 1000 are assumed. These should be adjusted to what is normal in your environment.

One of my favorite troubleshooting commands, as well as a method to archive and export configuration data for offline analysis, is the whatiswrong command from NwConsole.

I am sometimes forgetful when looking for the commands I need, so I wrote a wrapper script for this command that asks for the username, password, host and port to connect to, and grabs the relevant command output as well as the error logs for the last 100 events for the last x days (configurable in the script).

This makes it very easy to run the command before you make a change and again afterwards, archiving the configurations as well as looking for any errors that may be in the logs.

Output is written to a file in the directory the script is run from, named with the date and the hostname of the appliance/service.

Comments and improvements are welcome, hope it helps save typing.
